5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 22:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe
Size

312KB
MD5

6f714f49b64cc297da67de62245448c0
SHA1

78e505fc869e76690ad470689a72e4c1a91309eb
SHA256

5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507
SHA512

b24e1744368f346bd09774d66e5cfd113960d1f1c749cedfb0b02fdb3d1f14df61f804e132e683718493247d9ce1398ee635e34465ec147c2e9730d484626d52
SSDEEP

6144:I0L7L0aK5D5KyLyv9o3keQAGywpB3qSDVJtba7N9:I0L7L5KPFCo3JGTo

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	igoq.exe

Deletes itself 1 IoCs

pid	Process
672	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe
1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Inyn\\igoq.exe"	igoq.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	igoq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe
2028	igoq.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2028	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	28
PID 1800 wrote to memory of 2028	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	28
PID 1800 wrote to memory of 2028	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	28
PID 1800 wrote to memory of 2028	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	28
PID 2028 wrote to memory of 1128	2028	igoq.exe	17
PID 2028 wrote to memory of 1128	2028	igoq.exe	17
PID 2028 wrote to memory of 1128	2028	igoq.exe	17
PID 2028 wrote to memory of 1128	2028	igoq.exe	17
PID 2028 wrote to memory of 1128	2028	igoq.exe	17
PID 2028 wrote to memory of 1224	2028	igoq.exe	16
PID 2028 wrote to memory of 1224	2028	igoq.exe	16
PID 2028 wrote to memory of 1224	2028	igoq.exe	16
PID 2028 wrote to memory of 1224	2028	igoq.exe	16
PID 2028 wrote to memory of 1224	2028	igoq.exe	16
PID 2028 wrote to memory of 1256	2028	igoq.exe	15
PID 2028 wrote to memory of 1256	2028	igoq.exe	15
PID 2028 wrote to memory of 1256	2028	igoq.exe	15
PID 2028 wrote to memory of 1256	2028	igoq.exe	15
PID 2028 wrote to memory of 1256	2028	igoq.exe	15
PID 2028 wrote to memory of 1800	2028	igoq.exe	12
PID 2028 wrote to memory of 1800	2028	igoq.exe	12
PID 2028 wrote to memory of 1800	2028	igoq.exe	12
PID 2028 wrote to memory of 1800	2028	igoq.exe	12
PID 2028 wrote to memory of 1800	2028	igoq.exe	12
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29
PID 1800 wrote to memory of 672	1800	5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe	29

C:\Users\Admin\AppData\Local\Temp\5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe
"C:\Users\Admin\AppData\Local\Temp\5c8be75b2fd5a6114fc85059acddcca2892d9f18704379aea9630b07223cd507.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Roaming\Inyn\igoq.exe
  "C:\Users\Admin\AppData\Roaming\Inyn\igoq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbe49fa43.bat"
  2⤵
  - Deletes itself
  PID:672

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpbe49fa43.bat

Filesize
307B

MD5
a13cbba2668032650ab2adeff42377e2

SHA1
a69c18d27d1845f4b6011e4ba414bb83cc08eba6

SHA256
412dacf4aba75f64b12bda7c96401455dc6bc3a030af14b6edcbe3b9ce1e1db2

SHA512
793a8c22c45b95ba40c93fcab4924c1daad1b07c86e2292d2c146259c27694c07954278a092097b395b9dbd00e5fb40eb86cb18845f2bd141ef85c0b3690f4ee

Download Submit
C:\Users\Admin\AppData\Roaming\Inyn\igoq.exe

Filesize
312KB

MD5
f4c93f685cf9e1da2732f74b50c3b032

SHA1
1eed0a675b0602ca216903110ac3d59c3ea9d47d

SHA256
02fce951e934716f03237be40e8d28ed47754e8f9d8d6ec129782654848fc863

SHA512
ec641e7cc00bd5ad716de88ee65cb8b326057b26fc2c2508d4d218b4e7df3aaa5f082217a26880fcfb5cee3ea288dbfce2a1902ef67ad7bd31ad208784ccd055

Download Submit
C:\Users\Admin\AppData\Roaming\Inyn\igoq.exe

Filesize
312KB

MD5
f4c93f685cf9e1da2732f74b50c3b032

SHA1
1eed0a675b0602ca216903110ac3d59c3ea9d47d

SHA256
02fce951e934716f03237be40e8d28ed47754e8f9d8d6ec129782654848fc863

SHA512
ec641e7cc00bd5ad716de88ee65cb8b326057b26fc2c2508d4d218b4e7df3aaa5f082217a26880fcfb5cee3ea288dbfce2a1902ef67ad7bd31ad208784ccd055

Download Submit
\Users\Admin\AppData\Roaming\Inyn\igoq.exe

Filesize
312KB

MD5
f4c93f685cf9e1da2732f74b50c3b032

SHA1
1eed0a675b0602ca216903110ac3d59c3ea9d47d

SHA256
02fce951e934716f03237be40e8d28ed47754e8f9d8d6ec129782654848fc863

SHA512
ec641e7cc00bd5ad716de88ee65cb8b326057b26fc2c2508d4d218b4e7df3aaa5f082217a26880fcfb5cee3ea288dbfce2a1902ef67ad7bd31ad208784ccd055

Download Submit
\Users\Admin\AppData\Roaming\Inyn\igoq.exe

Filesize
312KB

MD5
f4c93f685cf9e1da2732f74b50c3b032

SHA1
1eed0a675b0602ca216903110ac3d59c3ea9d47d

SHA256
02fce951e934716f03237be40e8d28ed47754e8f9d8d6ec129782654848fc863

SHA512
ec641e7cc00bd5ad716de88ee65cb8b326057b26fc2c2508d4d218b4e7df3aaa5f082217a26880fcfb5cee3ea288dbfce2a1902ef67ad7bd31ad208784ccd055

Download Submit
memory/672-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/672-115-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/672-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/672-103-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/672-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/672-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1128-70-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/1128-67-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/1128-69-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/1128-71-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/1128-72-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/1224-78-0x0000000001ED0000-0x0000000001F18000-memory.dmp

Filesize
288KB

Download
memory/1224-75-0x0000000001ED0000-0x0000000001F18000-memory.dmp

Filesize
288KB

Download
memory/1224-76-0x0000000001ED0000-0x0000000001F18000-memory.dmp

Filesize
288KB

Download
memory/1224-77-0x0000000001ED0000-0x0000000001F18000-memory.dmp

Filesize
288KB

Download
memory/1256-82-0x00000000029F0000-0x0000000002A38000-memory.dmp

Filesize
288KB

Download
memory/1256-83-0x00000000029F0000-0x0000000002A38000-memory.dmp

Filesize
288KB

Download
memory/1256-84-0x00000000029F0000-0x0000000002A38000-memory.dmp

Filesize
288KB

Download
memory/1256-81-0x00000000029F0000-0x0000000002A38000-memory.dmp

Filesize
288KB

Download
memory/1800-90-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1800-54-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-95-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-105-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1800-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-89-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1800-96-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1800-88-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1800-87-0x0000000001C70000-0x0000000001CB8000-memory.dmp

Filesize
288KB

Download
memory/1800-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1800-57-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/2028-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download